
8.5.2. NEC Bottom-up Implementation

Bottom-up implementation offers other advantages and disadvantages. If targets are more concrete and defined at a lower level, and efforts are focused on achieving them in specific environments, then shortfalls and shortcomings can be detected and checked more easily, both in terms of technology and resource limitations.

In bottom-up implementation, more concrete and less ambitious goals can be defined. Therefore, the process starts with more realistic objectives, consistent with the possibilities and technology that already exist. Moreover, once the initial low-level objectives are accomplished, the process can scale gradually towards more strategic objectives, up to the organization’s ultimate level of ambition. The obvious disadvantage of this type of implementation is related to compliance with strategic objectives: those objectives depend on the achievements of previous phases. Thus, the NEC implementation is more erratic, but also more realistic, and the NEC establishment could deviate from its original purpose. Of course, real life is not so black and white, and in most cases the chosen approach is eventually a hybrid of both. Therefore, NECCS must adapt its plan to the NEC implementation approach.


8.6. NECCS. The Industry

The IT industrial sector is mainly responsible for providing the physical implementation that meets NECCS requirements. This sector, together with the academic and private sectors, is co-responsible for the development of the technology itself.

It is vital to establish an organized public-private collaborative environment to develop efficient technological solutions to meet NEC security needs.

Initiatives such as NCOIC[60] occur when the most reputable IT companies join efforts to “accelerate the global implementation of NEC principles and systems and to improve information sharing among various communities of interest for the betterment of their productivity, interactivity, safety, and security.”[61] This kind of effort seems to be enough to meet the demands of important customers like governments, NATO, EU, etc. However, as has been stated in a previous section, there is a lack of reliable physical implementations which provide an efficient way to address some critical security issues. Furthermore, expectations are not very encouraging since today’s environment is conditioned by a global financial crisis. As a result, private companies cannot conduct self-financed research at the same level as in the past, and R&D&I activities could decline in the near future.

In fact, the European Commission's latest report, the 2010 "EU Industrial R&D Investment Scoreboard", shows that the worldwide reduction in 2009 was 1.9%; R&D investment by top EU companies fell by 2.6%, and in the US by 5.1%.

On this issue there are two main actors, industry and the public sector, which traditionally have two different motivations for doing business. Industry is driven by financial interests and looks for economic benefits. On the other hand, the public sector - governments and public organizations - is driven by the general public interest and seeks the safety and welfare of all its members. Hence, the first step has to be taken by the public sector, which in turn encourages the private sector, especially industry. To accomplish this, the public sector has to invest money. Moreover, it will invest if public sector authorities understand clearly that NEC is the way to move forward. For that reason it is essential to conduct an awareness campaign addressed to senior public authorities.

[60] NCOIC: Network Centric Operations Industry Consortium.

[61] NCOIC mission extracted from www.ncoic.org

8.7. NECCS. The Culture

Ultimately, NEC presents a change in the way business is done. Thus, traditional pillars, such as hierarchical communication flow and decision making process conducted exclusively by top officials or executives, will be replaced by other communication and decision making models that are more dynamic and participatory.

The NEC revolution entails specific changes in the way security is addressed, requiring a change not only in applications, techniques, procedures, and policies, but also in mentality. These changes lead to an NECCS revolution as well.

The NECCS revolution entails the following changes:

a. From security policy based on protecting the information anytime and anywhere to security policy based on protecting the information where, how, and when it is needed.[62]

b. From security policy based on protecting the information at any cost to security policy based on protecting the information when required to achieve information superiority, proportionally to the results expected.

c. From security policy based on confidentiality protection to security based on balancing different security aspects such as: integrity of information, integrity of labels, authorship and source guarantee, sender and receiver non-repudiation, availability of information, availability and resilience of computers, computer networks and information systems, need to know, and information confidentiality.

d. From rigid security policy based on immovable tenets to flexible and dynamic security policy based on basic principles and dynamic guidance.

e. From security decisions taken by people in the higher echelons of the organization and security community to security decisions taken in an extended, participatory, and inclusive process.

f. From security based on protecting information systems, information flows, and network perimeters to security based on protecting separate pieces of information.

g. From security based on risk avoidance to security based on permanent and continuous risk analysis.

[62] The “just in case” principle refers to the behavior of implementing security solutions indiscriminately, without a clear return on investment or without maintaining a proportion between investment and expected benefits. The principle of efficiency refers to the behavior of implementing security solutions systematically and according to plan, considering the proportion between investment and expected benefits.

The change of mentality should start with the security community. When this community is aligned with NECCS principles, then it will be time to begin the comprehensive security training, awareness, and exercise program addressed to the whole NEC community. This will enable the revolution.

There is a matter related to the issue expressed in the previous section concerning whether top down or bottom up is the way to approach an NEC implementation. The question is: according to tendencies in the global cyber domain, like it or not, will the NEC concept prevail?

In the more than likely case that NEC consolidates due to the natural evolution of the information age, the bottom-up or hybrid approach to NEC implementation has to be tackled, because it will be easier and more feasible to adapt the functional requirements to the technology available than the opposite. Furthermore, the top-down approach will require enormous amounts of money from the public sector. In these times technology evolves very fast, and new applications, concepts and operations, and philosophies of action are constantly being developed. These are often better ways of doing things and bring a new set of benefits. Private sector, civilian, and non-governmental organizations utilize new forms of communication. In fact, the public sector is no stranger to these innovations, since private-public collaboration is the only way ahead.

However, it is also true that new cultures focused on improving operability could undervalue the need for implementing emerging security technology solutions. Flexibility, trust, and confidence in communications, connections, and interactions are enhanced, and the trend is the convergence of networks and systems. However, all these advantages bring with them new risks and vulnerabilities.

In this environment, more than ever, security is the key; but security must be aligned with the organization’s mission.


8.8. NECCS. The Costs and Benefits

It is very difficult to identify and quantify the real costs associated with the implementation of security measures in an NEC; consequently, it is very difficult to achieve a reliable cost/benefit ratio.

In addition, it is not easy to identify which invested resources are efficient, being the result of applying a plan based on the principle of efficiency, and which are inefficient, being the result of the indiscriminate and “paranoid” implementation of security controls.

Some of the costs and benefits of an NECCS implementation are described below.